Wireshark-users: Re: [Wireshark-users] Extracting files from pcap
From: Jim Balo <jimbalo22@xxxxxxxxx>
Date: Sun, 12 Oct 2008 22:45:47 -0700 (PDT)
Yes, one-by-one seems to work fine for me too - thanks.
 
Now, on large pcap files one-by-one will be quite tedious.  Do you (or anyone) know what programs are out there to automate extraction of various files from a pcap?  I have used Network Miner and it works quite well on pcap files of moderate size.  Is this the best tool, or are there other alternatives out there?
 
Thanks,
JB

--- On Sun, 10/12/08, j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx> wrote:
From: j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Extracting files from pcap
To: jimbalo22@xxxxxxxxx, "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Date: Sunday, October 12, 2008, 1:03 PM

Hi Jim,

In my experience you'd better save the items one by one (Save As instead of
Save All).
Most of the time there are a lot of "/" or "?" and you can not use these
for filenames.

HTH
Joan


>-- Original message --
>Date: Sun, 12 Oct 2008 12:41:56 -0700 (PDT)
>From: Jim Balo <jimbalo22@xxxxxxxxx>
>To: Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>,
>	Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
>Subject: Re: [Wireshark-users] Extracting files from pcap
>Reply-To: jimbalo22@xxxxxxxxx,
>	Community support list for Wireshark <wireshark-users@xxxxxxxxxxxxx>
>
>
>Thanks for the reply.
>
>I tried this, but Wireshark just hung when trying "Save All" (been sitting
>there for 30 minutes now. The pcap is small - only 90K). I'll try saving
>only select objects, etc. later and see if that works better. Have you been
>using it w/o problems?
>
>JB
>
>If the file is transferred using HTTP, you could try File > Export >
>Objects > HTTP.
>
>On Sun, Oct 12, 2008 at 8:57 AM, Jim Balo <jimbalo22@xxxxxxxxx> wrote:
>> Hi,
>>
>> I am trying to learn how to extract transferred files from pcap dumps.
>>
>> I have a pcap file with an http data transfer that is gzip-encoded
>> ("Accept-encoding: gzip,deflate" in the http header).  I tried selecting and
>> exporting the data portion of the two packages that seemed to be part of
>> this transfer and then concatenate them, but when I try to gunzip it, I get
>> "unexpected end of file."  Using Network Miner, the file decodes just fine.
>>
>> I would like to learn how to do this using only Wireshark - does anyone know
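
Added example, not part of the thread and not Wireshark or Network Miner code: one way to recover a gzip-encoded HTTP body from a reassembled response stream and to give the output a flat file name when the URI contains "/" or "?". The sample response and the function names `dechunk`, `extract_body` and `safe_filename` are constructed for illustration.

```python
import gzip
import re

def dechunk(body: bytes) -> bytes:
    """Undo Transfer-Encoding: chunked (hex size line, data, CRLF, ... 0)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return bytes(out)
        start = eol + 2
        if start + size > len(body):
            raise ValueError("capture is missing part of a chunk")
        out += body[start:start + size]
        pos = start + size + 2  # skip the CRLF that follows chunk data

def extract_body(response: bytes) -> bytes:
    """Return the decoded entity body of one reassembled HTTP response."""
    head, _, body = response.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    elif b"content-length" in headers:
        length = int(headers[b"content-length"])
        if len(body) < length:
            raise ValueError("capture is missing part of the body")
        body = body[:length]
    if headers.get(b"content-encoding") == b"gzip":
        return gzip.decompress(body)
    return body

def safe_filename(uri: str, limit: int = 100) -> str:
    """Flatten a request URI into one file name: no "/", "?" or leading dots."""
    name = re.sub(r"[^A-Za-z0-9._-]", "_", uri).lstrip("._")
    return name[:limit] or "object"

# Constructed sample: a gzip body sent in two chunks (not from the thread's pcap).
_gz = gzip.compress(b"hello from a pcap\n")
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Encoding: gzip\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          + b"%x\r\n" % 10 + _gz[:10] + b"\r\n"
          + b"%x\r\n" % (len(_gz) - 10) + _gz[10:] + b"\r\n0\r\n\r\n")

if __name__ == "__main__":
    print(safe_filename("/dl/get.php?file=a/b.gz"), extract_body(SAMPLE))
```

The input is the server-to-client payload of one TCP stream after reassembly; a stream that stops short of the declared length raises `ValueError` instead of producing a partial file.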